How Australia can and should defend against foreign interference

Spy networks operating in Australia are alive and well, and foreign interference is reaching new levels of concern.


New data shows that Australians are reporting cyber security incidents every 10 minutes, and that these incidents are costing Australian businesses $29 billion each year and rising. But cyber criminals are not the only perpetrators of attacks. Foreign interference is also on the rise: spy networks operating in Australia are alive and well, and foreign interference is reaching new levels of concern. The ABC recently reported that the Australian Defence Force shut down a sensitive military database for 10 days in February 2020 after fears it had been hacked by a nation-state. The database contained the personal details of tens of thousands of Australian Defence Force members.

Foreign interference is conducted to disrupt, or to gain advantage along political, economic, military or industrial lines, and when it succeeds it does so covertly. Disruption can take the form of sabotage or subversion, while advantage can involve the theft of sensitive information or intellectual property.

An example of such foreign interference was the theft of 30GB of data on Australia's Joint Strike Fighter (F-35), Poseidon (P-8) surveillance plane, smart bombs and several naval vessels. Here the threat actor, considered to be a nation-state, breached a small defence contractor's systems and exploited its network over an extended period of time. Nation-states, just like cyber criminals, look to take the path of least resistance, and that path often lies within the supply chain of the primary target.

Why Australia should adopt the US’s CMMC

The US Department of Defense has become so concerned with the supply chain threat that it has released the Cybersecurity Maturity Model Certification (CMMC). It is a model the Australian Government would be smart to follow. It would provide a simple framework that not only aims to protect national interests, but also gives businesses clear direction on cyber security.

The CMMC model consists of five levels of maturity (basic to advanced), with 17 domains of information security and 171 information security practices mapped to the five levels. To achieve Level 5, an organisation needs to comply with all 171 practices. Where a small business tendering for a Defence contract is required to achieve a Level 2 certification, however, it need only adhere to 72 of them. CMMC is to become contractually mandatory for all US Defense contractors and sub-contractors from late 2020, with the level of certification required depending on what information the contractor has access to.

How to deter foreign interference: Steps you can take

Foreign interference is about the long game. It relies on the ability to remain undetected over extended periods of time. The level of risk tolerated to achieve the desired outcome is often higher in a foreign interference operation because the outcomes are so valuable. Whilst many of the methods cyber criminals and nation-state actors use to gain a foothold in an organisation's network are similar (phishing, credential theft and exploiting unpatched systems, for example), the sophistication with which they move laterally and remain undetected is very different.

For a relatively small price, an average hacker can purchase scripts or programs developed by others to conduct a cyber attack (these individuals are commonly referred to as script kiddies). The payload is often delivered through a phishing attack, playing on the human factor. The rudimentary nature of these scripts often means the payloads get picked up even by basic anti-virus or intrusion detection/prevention software.

Nation-states use the same techniques to achieve the foothold, but then use advanced payloads to evade detection. Typically, nation-states maintain unauthorised access to networks with the tooling of an advanced persistent threat (APT): implants built to blend in, which in practice are only found with capable security information and event management (SIEM) or packet capture (PCAP) tooling that actively monitors outbound traffic flows. In any traditional espionage operation, the asset or individual obtaining the information is critical and must be protected from detection. In a cyber foreign interference scenario the APT implant is the asset, so it is critical to the adversary that it remains undetected in order to keep ongoing access to networks, systems and information.
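The paragraph above says that persistent implants are found by watching outbound traffic, not by signature. One concrete way that is done is beacon detection: a command-and-control implant typically calls home on a fixed schedule with small, similarly sized requests, while ordinary browsing is bursty and varies in size. The example below is added here and is not code from the article or from any product; it runs over constructed flow records (timestamp, source, destination, port, bytes out), and the field order, thresholds and addresses are assumptions chosen for illustration. It groups flows per (source, destination, port), measures how regular the gaps between connections are using the coefficient of variation, and flags groups that are both frequent and metronomic.

```python
"""Toy beacon detector over outbound flow records.

Added example, not part of the original article. The flow records are
constructed inline (RFC 5737 test addresses); the record layout and the
detection thresholds are assumptions, not taken from any real SIEM or
PCAP tool.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def constructed_flows():
    """Build a constructed sample: one internal host (10.0.0.23) beaconing
    to 203.0.113.10:443 every ~5 minutes with a few seconds of jitter and
    near-constant request size, plus the same host browsing 198.51.100.7
    at irregular times with varying sizes. Tuples are
    (iso_timestamp, src, dst, dst_port, bytes_out)."""
    base = datetime(2020, 2, 1, 9, 0, 0)
    flows = []
    jitter_s = [0, 4, -3, 2, -5, 6, -1, 3, 0, -2, 5, -4]
    for i, j in enumerate(jitter_s):
        t = base + timedelta(minutes=5 * i, seconds=j)
        flows.append((t.isoformat(), "10.0.0.23", "203.0.113.10", 443, 512 + (i % 3)))
    browse_min = [0, 1, 7, 8, 9, 30, 31, 45, 120, 121, 122, 200]
    for k, m in enumerate(browse_min):
        t = base + timedelta(minutes=m, seconds=k * 11)
        flows.append((t.isoformat(), "10.0.0.23", "198.51.100.7", 443, 800 + 400 * k))
    return flows


def find_beacons(flows, min_connections=8, max_interval_cv=0.15, max_size_cv=0.2):
    """Return (src, dst, port) groups whose connection intervals and
    request sizes are both unusually regular.

    Coefficient of variation (stdev / mean) is scale-free, so the same
    threshold works for a 30-second and a 6-hour beacon. Thresholds are
    assumptions to tune against your own baseline."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((datetime.fromisoformat(ts), nbytes))

    findings = []
    for (src, dst, port), events in groups.items():
        if len(events) < min_connections:
            continue  # too few samples to say anything about periodicity
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        mean_gap = mean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps; not a schedule
        interval_cv = pstdev(gaps) / mean_gap
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(events),
                "period_s": round(mean_gap),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(constructed_flows()):
        print(f"possible beacon {f['src']} -> {f['dst']}:{f['port']} "
              f"every ~{f['period_s']}s ({f['connections']} connections, "
              f"interval CV {f['interval_cv']})")
```

Run stand-alone, it reports only the 203.0.113.10 channel: the browsing traffic also has 12 connections but its gaps range from about a minute to over an hour, so its interval CV is far above the threshold and it is correctly ignored. In practice you would feed this from NetFlow, Zeek conn logs or firewall logs, extend the window to days to catch slow beacons, and suppress known-good periodic talkers (NTP, update services) with an allow list rather than by loosening the thresholds.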

Whilst no industry is immune to foreign interference, the education sector is often a target due to having both direct and indirect access to sensitive information and intellectual property. Often organisations employ universities to develop concepts, build new technologies or prove formulae. This means that universities are filled with incredible amounts of intellectual property that can be exploited by APTs to satisfy a nation-state’s strategic priorities. The recent attack on the Australian National University is an excellent example of a cyber attack on an Australian university using advanced methods to evade detection to covertly extract sensitive information.

Education is Australia's largest service export and its third-largest export overall, behind iron ore. Australia is also ranked third among study-abroad destinations. The education sector is not only a prime target for nation-states looking to cause economic disruption, however. The flow of foreign students to Australian universities gives nation-states a further motive to attack them: foreign intelligence agencies look to identify their nationals studying abroad, especially those with direct or indirect access to sensitive information or intellectual property. These individuals can then be exploited, manipulated or coerced into supporting foreign interference operations.

Whether the adversary is a cyber criminal exploiting everyday Australians or a nation-state covertly committing foreign interference, the same key principles and strategies defend against a cyber attack. Here are five crucial ones.

  1. Baseline your organisation. Understand the organisation's current threat landscape. Next, assess its existing cyber security maturity level and determine what maturity level it needs to reach to effectively mitigate the identified threats. This identifies the high-risk gaps that need addressing, rather than over-investing in unnecessary controls and capabilities.
  2. Establish a framework. The framework needs to be one that suits the business; it can be as simple as the Australian Signals Directorate's Essential Eight (specifically designed to mitigate the most common cyber attacks) or as general as ISO 27001/2 or NIST. Implement it with minimal disruption. There will always be a change-management piece to bringing in a new way of operating, so make sure everyone is on board when the organisation begins the transition.
  3. Security training and awareness. This needs to be well thought out and targeted to business needs. Generic online videos and training are likely only to build complacency and boredom with the program. This is the area in which to invest and to seek out professionals who can deliver interactive, engaging training that holds the workforce's attention.
  4. Test and adjust. Develop metrics to assess the performance of the security controls in place, and test regularly. Keep a lessons-learnt register from the tests conducted, assign responsibilities and ensure the corrective actions identified are implemented.
  5. Have a plan to respond and recover. The recent Toll attack is a perfect example of how a well-drilled response plan lets an organisation recover with relatively little damage. Without an effective response plan, recovery will be drawn out and could be catastrophic for reputation and resources. Implement an incident response framework (such as NIST's), test the plan with tabletop and simulation exercises, and build playbooks so a response can be mounted quickly.

Matt Bunker is a manager with the BDO cyber security team. He has extensive practical experience in understanding and mitigating the threats from foreign interference.

Copyright © 2020 IDG Communications, Inc.